Use and Care of Generic Logins in an Oracle E-Business Suite Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA


Page 1

Use and Care of Generic Logins in an Oracle E-Business Suite Environment

Presented by:

Jeffrey T. Hare, CPA CISA CIA

Page 2

Webinar Logistics

Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen

The small window icon toggles between a windowed and full screen mode

Ask questions throughout the presentation using the chat dialog

Questions will be reviewed and answered at the end of the presentation; I’ll open the lines for interactive Q&A

During the presentation, we will be conducting a number of polls, please take the time to respond to all those that are applicable

CPE will only be given to those that answer at least 3 of the 4 polls

© 2010 ERPS / ERPRA

Page 3

Presentation Agenda

Overview:

Introduction

Audit Trail Overview

Seeded Generic Users

Custom Generic Users

Other Recommendations

Wrap Up

Q&A


Page 4

Introductions

Jeffrey T. Hare, CPA CISA CIA

• Founder of ERP Seminars and the Oracle User Best Practices Board

• Written various white papers on internal controls and security best practices in an Oracle Applications environment

• Frequent contributor to OAUG's Insight magazine

• Experience includes Big 4 audit and 6 years in CFO/Controller roles, both as auditor and auditee

• In the Oracle Applications space since 1998, both as client and consultant

• Founder of the Internal Controls Repository, a public domain repository

• Author of Oracle E-Business Suite Controls: Application Security Best Practices

• Contributing author, Best Practices in Financial Risk Management

• Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine


Page 5

Poll 1: How confident are you that your generic accounts are all identified and proper monitoring has been put in place?


Page 6

Audit Trail Overview


Page 7

Audit Trail Overview

• Disconnect between the application and database layers

• Need to be concerned about application access as well as database access

• An audit trail is only kept where the application was built to keep one

• No "audit everything" functionality to monitor privileged users

• Lack of a detailed audit trail throughout the application

• In some cases the application itself discards history: in HR, a DateTrack Update creates a new date-effective row, while a Correction overwrites the existing row and leaves no record of the prior value

• Example: change(s) to columns in a table can cause confusion as to what was actually changed (Journal Sources example)


Page 8

Audit Trail Technologies

Overview:

•Row Who / Alerts

•Sign On Audit

•Snapshot

•Log

•Triggers


Page 9

Audit Trail Technologies

Row Who / Alerts

• What is it: the Created By, Creation Date, Last Updated By and Last Update Date columns carried on most application tables. They record only who last touched a row and when, not the prior value, so a change that has since been overwritten cannot be reconstructed from them.

• When is it useful:

• Monitoring things you don't expect to change (however, when it does…)

• Within an audit period, creation date and last updated date

• Transaction monitoring (high volume), including some continuous controls monitoring (CCM) requirements


Page 10

Audit Trail Technologies

Sign On Audit

• What is it: the profile option "Sign-On:Audit Level" (None, User, Responsibility or Form); set it to Form so that each login, the responsibility chosen and every professional form opened are recorded. The form-level detail covers professional Forms only; self-service (HTML) page activity is not captured at that level.

• When is it useful:

• Tracking user logins and the use of professional forms

• Tracking logins of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure

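What the Sign-On Audit tables hold once the profile is at Form, as an added example written for this page rather than taken from the presentation. It assumes the queries are run as APPS, that XX_JOB_SCHEDULER is a hypothetical custom job-scheduling login, and that XX_SYSADMIN_USAGE_LOG is a hypothetical table holding the manual usage log the recommendations call for; the FND table and column names are those of 11i/R12 and should be checked against your release.

```sql
-- Added example: Sign-On Audit review for generic logins (run as APPS).
-- Assumes Sign-On:Audit Level = Form. XX_JOB_SCHEDULER and
-- XX_SYSADMIN_USAGE_LOG are hypothetical names used for illustration.

-- 1. Every login by a generic user in the last 30 days, with the
--    responsibility chosen and each form opened in that session.
--    FND_LOGIN_RESPONSIBILITIES / FND_LOGIN_RESP_FORMS are populated only
--    at audit level Responsibility / Form respectively.
SELECT u.user_name,
       l.login_id,
       l.start_time            AS login_time,
       l.end_time              AS logout_time,
       l.terminal_id,
       rt.responsibility_name,
       ft.user_form_name,
       lrf.start_time          AS form_opened
FROM   fnd_logins l
       JOIN fnd_user u
         ON u.user_id = l.user_id
       LEFT JOIN fnd_login_responsibilities lr
         ON lr.login_id = l.login_id
       LEFT JOIN fnd_responsibility_tl rt
         ON rt.responsibility_id = lr.responsibility_id
        AND rt.application_id   = lr.resp_appl_id
        AND rt.language         = USERENV('LANG')
       LEFT JOIN fnd_login_resp_forms lrf
         ON lrf.login_id      = lr.login_id
        AND lrf.login_resp_id = lr.login_resp_id
       LEFT JOIN fnd_form_tl ft
         ON ft.form_id        = lrf.form_id
        AND ft.application_id = lrf.form_appl_id
        AND ft.language       = USERENV('LANG')
WHERE  u.user_name IN ('SYSADMIN', 'XX_JOB_SCHEDULER')
AND    l.start_time >= SYSDATE - 30
ORDER  BY u.user_name, l.start_time, lrf.start_time;

-- 2. Reconcile against the manual usage log: a day with SYSADMIN logins
--    but no entry in the log is an exception to follow up.
--    XX_SYSADMIN_USAGE_LOG(used_on DATE, used_by VARCHAR2, reason VARCHAR2)
--    is the hypothetical table holding the manual log.
SELECT TRUNC(l.start_time) AS login_day,
       COUNT(*)            AS logins
FROM   fnd_logins l
       JOIN fnd_user u ON u.user_id = l.user_id
WHERE  u.user_name = 'SYSADMIN'
AND    l.start_time >= SYSDATE - 30
AND    NOT EXISTS (SELECT 1
                   FROM   xx_sysadmin_usage_log g
                   WHERE  TRUNC(g.used_on) = TRUNC(l.start_time))
GROUP  BY TRUNC(l.start_time)
ORDER  BY login_day;

-- 3. Unsuccessful logins: bursts of failures against any account, plus
--    every failure against a generic login (rare by policy, so worth a look).
SELECT user_name,
       TRUNC(attempt_time) AS attempt_day,
       COUNT(*)            AS failures,
       MIN(attempt_time)   AS first_failure,
       MAX(attempt_time)   AS last_failure
FROM   fnd_unsuccessful_logins
WHERE  attempt_time >= SYSDATE - 30
GROUP  BY user_name, TRUNC(attempt_time)
HAVING COUNT(*) >= 5
    OR user_name IN ('SYSADMIN', 'GUEST', 'XX_JOB_SCHEDULER')
ORDER  BY attempt_day, failures DESC;
```

The first query is the one to schedule as a report for the owner of each generic login; the second only works if the manual log is kept in a queryable place, which is worth insisting on when the policy is written.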

Page 11

Audit Trail Technologies

Snapshot

• What is it: a comparison of Row Who information (and values) between instances, or between two points in time (production versus the 12/31 version)

• When is it useful:

• Identifying when something is changed that you wouldn't expect

• When comparisons are pre-mapped, such as tools that compare objects between instances or versions

• Application support, to identify when there was a configuration change (i.e. what broke the process)

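The snapshot technique on site-level profile options, as an added example written for this page and not part of the presentation. It assumes the statements run as APPS, that XX_PROFILE_SNAPSHOT is a custom table created here to hold the baseline, and that LEVEL_ID 10001 is the Site level in FND_PROFILE_OPTION_VALUES.

```sql
-- Added example: snapshot comparison of site-level profile option values
-- (run as APPS). XX_PROFILE_SNAPSHOT is a custom table created here for
-- the baseline; level_id 10001 is the Site level in FND_PROFILE_OPTION_VALUES.

-- 1. Baseline: taken once, e.g. at year end, or in the reference instance.
CREATE TABLE xx_profile_snapshot AS
SELECT po.profile_option_name,
       pot.user_profile_option_name,
       pov.level_id,
       pov.level_value,
       pov.profile_option_value,
       pov.last_update_date,
       pov.last_updated_by
FROM   fnd_profile_option_values pov
       JOIN fnd_profile_options po
         ON po.profile_option_id = pov.profile_option_id
        AND po.application_id   = pov.application_id
       JOIN fnd_profile_options_tl pot
         ON pot.profile_option_name = po.profile_option_name
        AND pot.language           = USERENV('LANG')
WHERE  pov.level_id = 10001;

-- 2. Compare: current rows that differ from (or did not exist in) the
--    baseline, and baseline rows that no longer exist. Row Who columns are
--    part of the comparison, so a value re-saved unchanged still shows up,
--    which is useful: somebody touched it.
WITH current_values AS (
  SELECT po.profile_option_name,
         pot.user_profile_option_name,
         pov.level_id,
         pov.level_value,
         pov.profile_option_value,
         pov.last_update_date,
         pov.last_updated_by
  FROM   fnd_profile_option_values pov
         JOIN fnd_profile_options po
           ON po.profile_option_id = pov.profile_option_id
          AND po.application_id   = pov.application_id
         JOIN fnd_profile_options_tl pot
           ON pot.profile_option_name = po.profile_option_name
          AND pot.language           = USERENV('LANG')
  WHERE  pov.level_id = 10001
),
delta AS (
  (SELECT CAST('CHANGED OR ADDED' AS VARCHAR2(20)) AS status, c.*
   FROM   current_values c
   MINUS
   SELECT CAST('CHANGED OR ADDED' AS VARCHAR2(20)), s.*
   FROM   xx_profile_snapshot s)
  UNION ALL
  (SELECT CAST('REMOVED' AS VARCHAR2(20)), s.*
   FROM   xx_profile_snapshot s
   MINUS
   SELECT CAST('REMOVED' AS VARCHAR2(20)), c.*
   FROM   current_values c)
)
SELECT d.status,
       d.user_profile_option_name,
       d.profile_option_value,
       d.last_update_date,
       u.user_name AS last_updated_by_user
FROM   delta d
       LEFT JOIN fnd_user u ON u.user_id = d.last_updated_by
ORDER  BY d.user_profile_option_name, d.status;
```

A changed row appears twice (once as REMOVED with the old value, once as CHANGED OR ADDED with the new one), which is what makes the before/after visible; the same pattern works for any setup table that carries Row Who columns, such as responsibility or menu definitions.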

Page 12

Audit Trail Technologies

Logs

• What are they: various types of incremental data

• Could be traffic flowing across the network, or technology inherent to the database (redo logs, or logs kept for mirroring)

• When are they useful:

• High volume transaction tables

• Can be used for all audits, but may have limitations


Page 13

Audit Trail Technologies

Triggers

• What are they:

• Core database technology

• Used by the System Administrator AuditTrail feature (shadow tables populated by triggers on the audited tables)

• Advanced software packages:

• May allow metadata to be mapped

• Usually have a central repository for easier reporting and data management

• May allow for alerting on the captured information

• When are they useful: setups (key control configurations), master data, security, development; SQL Forms

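A trigger-based audit trail for responsibility assignments, as an added example written for this page and not part of the presentation; it is the "detailed audit trail (log or trigger based)" that the SYSADMIN and job scheduling recommendations later ask for. The custom objects (XX_RESP_ASSIGN_AUDIT, XX_RESP_ASSIGN_AUDIT_S, XX_RESP_ASSIGN_AUDIT_TRG) and the login XX_JOB_SCHEDULER are assumptions; it assumes FND_USER_RESP_GROUPS_DIRECT is a table (11.5.10 and later), that the objects are created in APPS, and that your support policy allows a custom trigger on that table.

```sql
-- Added example: trigger-based audit trail for FND_USER_RESP_GROUPS_DIRECT.
-- All XX_ objects are assumptions for this example. Create in APPS and
-- confirm your support policy allows a custom trigger on this table.
CREATE TABLE xx_resp_assign_audit (
  audit_id            NUMBER        NOT NULL,
  audit_time          DATE          NOT NULL,
  action              VARCHAR2(6)   NOT NULL,   -- INSERT / UPDATE / DELETE
  user_id             NUMBER,                   -- the login whose access changed
  responsibility_id   NUMBER,
  resp_application_id NUMBER,
  old_start_date      DATE,
  new_start_date      DATE,
  old_end_date        DATE,
  new_end_date        DATE,
  row_last_updated_by NUMBER,                   -- Row Who value written by the application
  apps_user_id        NUMBER,                   -- FND_GLOBAL.USER_ID of the session, if set
  db_session_user     VARCHAR2(128),            -- database account, e.g. APPS via SQL*Plus
  os_user             VARCHAR2(128),
  client_ip           VARCHAR2(64),
  CONSTRAINT xx_resp_assign_audit_pk PRIMARY KEY (audit_id)
);

CREATE SEQUENCE xx_resp_assign_audit_s;

CREATE OR REPLACE TRIGGER xx_resp_assign_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON applsys.fnd_user_resp_groups_direct
FOR EACH ROW
DECLARE
  l_action VARCHAR2(6);
BEGIN
  IF INSERTING THEN
    l_action := 'INSERT';
  ELSIF UPDATING THEN
    l_action := 'UPDATE';
  ELSE
    l_action := 'DELETE';
  END IF;

  -- Write every row unconditionally; filtering (only generic logins, only
  -- end-date removals) happens at review time, so nothing is lost.
  INSERT INTO xx_resp_assign_audit (
    audit_id, audit_time, action, user_id, responsibility_id,
    resp_application_id, old_start_date, new_start_date, old_end_date,
    new_end_date, row_last_updated_by, apps_user_id, db_session_user,
    os_user, client_ip)
  VALUES (
    xx_resp_assign_audit_s.NEXTVAL, SYSDATE, l_action,
    NVL(:NEW.user_id, :OLD.user_id),
    NVL(:NEW.responsibility_id, :OLD.responsibility_id),
    NVL(:NEW.responsibility_application_id, :OLD.responsibility_application_id),
    :OLD.start_date, :NEW.start_date, :OLD.end_date, :NEW.end_date,
    NVL(:NEW.last_updated_by, :OLD.last_updated_by),
    fnd_global.user_id,
    SYS_CONTEXT('USERENV', 'SESSION_USER'),
    SYS_CONTEXT('USERENV', 'OS_USER'),
    SYS_CONTEXT('USERENV', 'IP_ADDRESS'));
END;
/

-- Review query: new assignments, and end dates removed or pushed into the
-- future (a disabled responsibility coming back), on generic logins in the
-- last 7 days. Changes made outside the application show a null apps user
-- and the database account instead.
SELECT a.audit_time, a.action, u.user_name, rt.responsibility_name,
       a.old_end_date, a.new_end_date,
       NVL(au.user_name, a.db_session_user || '@' || a.client_ip) AS changed_by
FROM   xx_resp_assign_audit a
       JOIN fnd_user u ON u.user_id = a.user_id
       LEFT JOIN fnd_responsibility_tl rt
         ON rt.responsibility_id = a.responsibility_id
        AND rt.application_id   = a.resp_application_id
        AND rt.language         = USERENV('LANG')
       LEFT JOIN fnd_user au ON au.user_id = a.apps_user_id
WHERE  a.audit_time >= SYSDATE - 7
AND    u.user_name IN ('SYSADMIN', 'XX_JOB_SCHEDULER')
AND   (a.action = 'INSERT'
       OR (a.old_end_date IS NOT NULL
           AND (a.new_end_date IS NULL OR a.new_end_date > a.old_end_date)))
ORDER  BY a.audit_time DESC;
```

The audit table lives in the same database as the data it protects, so anyone with APPS or DBA access can edit it; copying the rows out to a repository the administrators cannot reach (the "central repository" the slide mentions) is what makes the trail hold up against the privileged users it is meant to watch.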

Page 14

Audit Trail Technologies

See the full webinar "Building an Audit Trail in an Oracle E-Business Suite Environment" at: http://www.erpseminars.com/WebinarAccessForm.html


Page 15

Seeded Generic Users


Page 16

Seeded Generic Users

Sources:

• 11i: Metalink Note 189367.1

• R12: Metalink Note 403537.1

• ERP Seminars' Internal Controls Repository (end users only)

• SQL: users without an employee assigned

• Stale users (users not logged in recently)


Page 17

Seeded Generic Users

Known seeded generic users: 'GUEST', 'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM', 'ASGUEST', 'AUTOINSTALL', 'BOL-OPS', 'BOL-SETUP', 'BOL-SUPPORT', 'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'IBE_ADMIN', 'IBE_GUEST', 'IBEGUEST', 'IEXADMIN', 'INITIALSETUP', 'IRC_EMP_GUEST', 'IRC_EXT_GUEST', 'MOBILEADM', 'MOBADM', 'MOBDEV', 'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO', 'STANDALONE BATCH PROCESS', 'SYSADMIN', 'WIZARD', 'XML_USER'


Page 18

Seeded Generic Users

Sample SQL statement: users without an employee assigned

Purpose: identify possible consultants or generic users

-- Active users (no end date, or an end date still in the future)
-- that have no employee record linked to the login
SELECT user_name, start_date, end_date
FROM   fnd_user
WHERE  (end_date IS NULL OR end_date > SYSDATE)
AND    employee_id IS NULL
ORDER  BY user_name;

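The other two sources from the list above, the known seeded users and stale users, as an added example written for this page rather than taken from the presentation. It assumes the queries run as APPS, that FND_USER.LAST_LOGON_DATE and PASSWORD_DATE are populated on your release (PASSWORD_DATE semantics vary, so treat that flag as a prompt to check, not a verdict), and that the 90-day staleness window is a placeholder for your own policy.

```sql
-- Added example (run as APPS): status of the known seeded generic users,
-- plus stale users. Column semantics assumed from the 11i/R12 FND_USER
-- definition; confirm PASSWORD_DATE behaviour on your release.

-- 1. Seeded generic logins: active or end-dated, last logon, password age,
--    and how many responsibilities are still live on the account.
SELECT u.user_name,
       CASE
         WHEN u.end_date IS NOT NULL AND u.end_date <= SYSDATE THEN 'END-DATED'
         ELSE 'ACTIVE'
       END                      AS status,
       u.end_date,
       u.last_logon_date,
       u.creation_date,
       u.password_date,
       CASE
         WHEN u.password_date IS NULL
           THEN 'NO PASSWORD DATE (reset pending or never set)'
         WHEN u.password_date <= u.creation_date
           THEN 'PASSWORD NOT CHANGED SINCE CREATION'
       END                      AS password_flag,
       (SELECT COUNT(*)
        FROM   fnd_user_resp_groups_direct g
        WHERE  g.user_id = u.user_id
        AND   (g.end_date IS NULL OR g.end_date > SYSDATE)) AS live_responsibilities
FROM   fnd_user u
WHERE  u.user_name IN (
         'GUEST', 'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM',
         'ASGUEST', 'AUTOINSTALL', 'BOL-OPS', 'BOL-SETUP', 'BOL-SUPPORT',
         'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'IBE_ADMIN', 'IBE_GUEST',
         'IBEGUEST', 'IEXADMIN', 'INITIALSETUP', 'IRC_EMP_GUEST',
         'IRC_EXT_GUEST', 'MOBILEADM', 'MOBADM', 'MOBDEV',
         'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO',
         'STANDALONE BATCH PROCESS', 'SYSADMIN', 'WIZARD', 'XML_USER')
ORDER  BY status, u.user_name;

-- 2. Stale users: still active but not logged on for 90 days (or never).
--    Logins without an employee are listed first: they are the most likely
--    to be generic or consultant accounts nobody owns any more.
SELECT u.user_name,
       u.employee_id,
       u.creation_date,
       u.last_logon_date,
       u.end_date
FROM   fnd_user u
WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
AND    NVL(u.last_logon_date, u.creation_date) < SYSDATE - 90
ORDER  BY CASE WHEN u.employee_id IS NULL THEN 0 ELSE 1 END,
          u.last_logon_date NULLS FIRST;
```

Seeded users that are ACTIVE with live responsibilities and no recent logon are the end-dating candidates the next slide talks about; a seeded user that is ACTIVE and does log on regularly needs an owner before anything else.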

Page 19

Seeded Generic Users

Disposition of seeded users:

• End date where possible, depending on the applications being used

• Test, test, test

• Do not end date GUEST or SYSADMIN

• Monitor activity of GUEST and SYSADMIN


Page 20

Seeded Generic User Accounts

For SYSADMIN:

• Assign only the System Administrator responsibility and the User Management role to the SYSADMIN login. Any other responsibilities or roles should be end-dated.

• Review the active assigned responsibilities at least monthly or, preferably, develop an alert or detailed audit trail (log or trigger based) to monitor the assignment of new responsibilities and roles, or the removal of end dates on disabled responsibilities or roles.

• Require that each use of the SYSADMIN login be manually logged.

• Establish a policy or develop security standards so that the owner of the SYSADMIN login understands it should be used only when Oracle absolutely requires it.


Page 21

Seeded Generic User Accounts

For SYSADMIN:

• Treat the SYSADMIN password the same way as the APPS database password: one person (or a small group) should know it, and it should be sealed in an envelope and held securely by an IT manager.

• Reset the SYSADMIN password according to the corporate password reset policy (I have seen some clients not reset their SYSADMIN password). Note that even if the password expires, the SYSADMIN login is still active.

• Most importantly, NEVER end date the SYSADMIN login, as it is needed internally in many places. End-dating the SYSADMIN login may shut down your system or certain processes within it (e.g. workflow processes).


Page 22

Seeded Generic User Accounts

For SYSADMIN:

• Any task that can be performed using a named login with the System Administrator responsibility should NEVER be done using the SYSADMIN login.


Page 23

Seeded Generic User Accounts

For GUEST:

• Cannot log in as GUEST

• No responsibilities need be assigned

• Similar monitoring to SYSADMIN

• Follow Metalink Note 443353.1 for maintenance of the GUEST password


Page 24

Poll 2: Which statement best represents my organization's disposition of seeded generic logins?


Page 25

Custom Generic Users


Page 26

Custom Generic Users

Job Scheduling user

• The only responsibility granted to the user should be a job scheduling responsibility with a single function, "Requests: Submit", assigned to the menu. No other functions are to be granted, particularly any functions that update data or allow access to sensitive data. If support users need access to other forms, they should access those forms through their own named login and "Support" responsibilities designed for supporting the applications.


Page 27

Custom Generic Users

Job Scheduling user

• Review the active assigned responsibilities no less frequently than monthly to make sure no other responsibilities have been assigned to this login. If the person(s) responsible for maintaining this login also have access to the System Administrator responsibility, consider developing an Alert or detailed audit trail to monitor for new responsibilities or roles being assigned, or for assigned responsibilities or roles having their end date removed.

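The monthly review of assigned responsibilities, for both the SYSADMIN recommendations and the job scheduling user above, as one added example written for this page and not part of the presentation. It assumes the query runs as APPS; the allow-list (System Administrator and User Management for SYSADMIN, a responsibility named 'XX Job Scheduling' for a login XX_JOB_SCHEDULER) is an assumption to be replaced with your documented policy, responsibility names are matched in the session language, and the role query applies to R12 only.

```sql
-- Added example (run as APPS): live responsibilities on generic logins
-- compared with the documented allow-list, plus any assignment row touched
-- in the last 7 days. Allow-list values and the XX_ names are assumptions.
WITH allowed AS (
  SELECT 'SYSADMIN'         AS user_name, 'System Administrator' AS responsibility_name FROM dual UNION ALL
  SELECT 'SYSADMIN',                      'User Management'                             FROM dual UNION ALL
  SELECT 'XX_JOB_SCHEDULER',              'XX Job Scheduling'                           FROM dual
),
assigned AS (
  SELECT u.user_name,
         rt.responsibility_name,
         g.start_date,
         g.end_date,
         g.last_update_date,
         g.last_updated_by
  FROM   fnd_user_resp_groups_direct g
         JOIN fnd_user u
           ON u.user_id = g.user_id
         JOIN fnd_responsibility_tl rt
           ON rt.responsibility_id = g.responsibility_id
          AND rt.application_id   = g.responsibility_application_id
          AND rt.language         = USERENV('LANG')
  WHERE  u.user_name IN (SELECT user_name FROM allowed)
)
-- 1. Live assignments outside the allow-list: these should be end-dated.
SELECT CAST('NOT ALLOWED' AS VARCHAR2(20)) AS finding,
       a.user_name, a.responsibility_name, a.start_date, a.end_date,
       a.last_update_date, lu.user_name AS last_updated_by_user
FROM   assigned a
       LEFT JOIN fnd_user lu ON lu.user_id = a.last_updated_by
WHERE (a.end_date IS NULL OR a.end_date > SYSDATE)
AND    NOT EXISTS (SELECT 1
                   FROM   allowed al
                   WHERE  al.user_name           = a.user_name
                   AND    al.responsibility_name = a.responsibility_name)
UNION ALL
-- 2. Any assignment row, allowed or not, created or changed recently. An
--    end date being removed shows here as a recent update on a row that is
--    now live; Row Who cannot say what the end date was before, which is
--    why a trigger or log based trail is still needed for the "why".
SELECT CAST('RECENT CHANGE' AS VARCHAR2(20)),
       a.user_name, a.responsibility_name, a.start_date, a.end_date,
       a.last_update_date, lu.user_name
FROM   assigned a
       LEFT JOIN fnd_user lu ON lu.user_id = a.last_updated_by
WHERE  a.last_update_date >= SYSDATE - 7
ORDER  BY 1, 2, 3;

-- 3. R12 only: roles granted through User Management are recorded in the
--    workflow directory; list live UMX role grants on the same logins.
SELECT ur.user_name, ur.role_name, ur.start_date, ur.expiration_date
FROM   wf_local_user_roles ur
WHERE  ur.user_name IN ('SYSADMIN', 'XX_JOB_SCHEDULER')
AND    ur.role_name LIKE 'UMX|%'
AND   (ur.expiration_date IS NULL OR ur.expiration_date > SYSDATE)
ORDER  BY ur.user_name, ur.role_name;
```

Run as a scheduled report, the NOT ALLOWED rows are the exceptions to clear each month; the RECENT CHANGE rows are what to reconcile against change tickets, since every one of them should have been approved through Change Management.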

Page 28

Custom Generic Users

Job Scheduling user

• Narrowly define the requests and reports that this responsibility can use, so that it can only schedule jobs. No reports with sensitive data should be contained in the request group.

• Changes to security related to this login should be required to go through the Change Management process. This includes changes to the responsibility definition, the underlying menu, and the request group.

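What the job scheduling responsibility can actually reach, menu and request group together, as an added example written for this page and not part of the presentation. It assumes the queries run as APPS and that 'XX Job Scheduling' is a hypothetical responsibility name; it also assumes the single expected function carries the user name "Requests: Submit" as the slide states.

```sql
-- Added example (run as APPS): menu functions and request group contents
-- of the job scheduling responsibility. 'XX Job Scheduling' is hypothetical.

-- 1. Every function reachable from the responsibility's menu, walking all
--    submenus. Anything other than "Requests: Submit" is a finding.
--    Responsibility-level exclusions (FND_RESP_FUNCTIONS) can remove
--    entries from what the user sees, so check those separately rather
--    than relying on them to hide a function the menu still contains.
WITH resp AS (
  SELECT r.menu_id
  FROM   fnd_responsibility r
         JOIN fnd_responsibility_tl rt
           ON rt.responsibility_id = r.responsibility_id
          AND rt.application_id   = r.application_id
          AND rt.language         = USERENV('LANG')
  WHERE  rt.responsibility_name = 'XX Job Scheduling'
),
menu_tree AS (
  SELECT me.menu_id, me.entry_sequence, me.sub_menu_id, me.function_id,
         me.grant_flag, me.prompt, LEVEL AS depth
  FROM   fnd_menu_entries me
  START WITH me.menu_id = (SELECT menu_id FROM resp)
  CONNECT BY PRIOR me.sub_menu_id = me.menu_id
)
SELECT mt.depth, m.menu_name, mt.prompt, ff.function_name,
       fft.user_function_name, mt.grant_flag,
       CASE WHEN fft.user_function_name <> 'Requests: Submit'
            THEN 'UNEXPECTED FUNCTION' END AS finding
FROM   menu_tree mt
       JOIN fnd_menus m ON m.menu_id = mt.menu_id
       JOIN fnd_form_functions ff ON ff.function_id = mt.function_id
       JOIN fnd_form_functions_tl fft
         ON fft.function_id = ff.function_id
        AND fft.language    = USERENV('LANG')
ORDER  BY mt.depth, m.menu_name, mt.entry_sequence;

-- 2. The request group. Individual programs (type 'P') are what you expect
--    to see; a type 'A' unit grants every program of an application and a
--    type 'S' unit grants a whole request set, both of which widen access
--    far beyond a list you can review program by program.
SELECT rgu.request_unit_type,
       CASE rgu.request_unit_type
         WHEN 'P' THEN cpt.user_concurrent_program_name
         WHEN 'S' THEN rst.user_request_set_name
         WHEN 'A' THEN '(ALL PROGRAMS OF APPLICATION ' || rgu.unit_application_id || ')'
       END AS unit_name,
       CASE WHEN rgu.request_unit_type IN ('A', 'S')
            THEN 'REVIEW: broad grant' END AS finding
FROM   fnd_responsibility r
       JOIN fnd_responsibility_tl rt
         ON rt.responsibility_id   = r.responsibility_id
        AND rt.application_id     = r.application_id
        AND rt.language           = USERENV('LANG')
        AND rt.responsibility_name = 'XX Job Scheduling'
       JOIN fnd_request_group_units rgu
         ON rgu.request_group_id = r.request_group_id
        AND rgu.application_id   = r.group_application_id
       LEFT JOIN fnd_concurrent_programs_tl cpt
         ON rgu.request_unit_type      = 'P'
        AND cpt.concurrent_program_id = rgu.request_unit_id
        AND cpt.application_id        = rgu.unit_application_id
        AND cpt.language              = USERENV('LANG')
       LEFT JOIN fnd_request_sets_tl rst
         ON rgu.request_unit_type = 'S'
        AND rst.request_set_id    = rgu.request_unit_id
        AND rst.application_id    = rgu.unit_application_id
        AND rst.language          = USERENV('LANG')
ORDER  BY rgu.request_unit_type, unit_name;
```

Keep the output of both queries with the change ticket each time the responsibility, menu or request group is modified; the diff between two runs is the evidence that the change did only what was approved.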

Page 29

Other Recommendations


Page 30

Other Recommendations

11i Password Decryption Risk

Even for users that are end-dated, make sure you change the password from the default to avoid the decryption risk outlined in Integrigy's white paper "Oracle Applications 11i Password Decryption". The risk is that in 11i the APPS database password is stored in FND_USER in a form that can be recovered by anyone who can read that table and knows any application user's password, so a seeded login still carrying its well-known default password is a path to APPS even though it can no longer log in. Later 11i patch levels and R12 can switch user passwords to a non-reversible hash (FNDCPASS USERMIGRATE), which removes that exposure; until then, no user, active or not, should be left at a default password. Find out more at www.integrigy.com, or email me for a copy of the white paper.


Page 31

Poll 3: The recommendations outlined in this webinar are consistent with current internal and external audit recommendations


Page 32

Wrap Up


Page 33

Wrap Up

Recap: the following is a recap of the recommendations:

• Monitor unsuccessful logins

• Set up Sign-On Audit

• Monitor security changes; this requires a log or trigger-based auditing mechanism covering activity in user assignments (roles and responsibilities), menus and request groups

• End-date those logins not needed (after thorough testing)

• Assign accountability for those that need to remain active

• Have users log their activity, and review actual activity against the Sign-On Audit reports

• Policies, standards, and procedures should reflect the use of generic logins (seeded and custom)


Page 34

ERP Risk Advisors Services

• Free one-hour consultation

• On-site seminars (1 - 2 days), custom tailored to your company's needs, as well as various web-based seminars

• RFP / RFI management for Oracle-related GRC software

• SOD / UAC third party software projects / remediation

• GRC software implementation

• Security and internal controls design and implementation, pre- and post-implementation

• Pre-defined level I and level II assessment services; see: http://www.erpseminars.com/Services.html


Page 35

Q & A


Page 36

Poll 4: I'd like to follow up this webinar with:


Page 37

Contact Information

Jeffrey T. Hare, CPA CISA CIA

Cell: 970-324-1450

Office: 970-785-6455

E-mail: [email protected]

Websites: www.erpseminars.com, www.oubpb.com

Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox

Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/


Page 38

Best Practices Caveat

The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are "in fact" Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.
